Auth: Add support for role mapping and allowed groups in Google OIDC (#76266)

* support google oauth allowed_groups. unify allowed groups logic

* add role mapping for google oauth

* add documentation

* add addendums

* remove extra isGroupMember

* add to sample ini

* Apply suggestions from code review

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Jo
2023-10-10 18:07:23 +02:00
committed by GitHub
parent 0d390382d3
commit cada1f040a
11 changed files with 297 additions and 72 deletions


@@ -644,7 +644,11 @@ token_url = https://oauth2.googleapis.com/token
api_url = https://openidconnect.googleapis.com/v1/userinfo
allowed_domains =
hosted_domain =
skip_org_role_sync = false
allowed_groups =
role_attribute_path =
role_attribute_strict = false
allow_assign_grafana_admin = false
skip_org_role_sync = true
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
@@ -828,7 +832,7 @@ assume_role_enabled = true
list_metrics_page_limit = 500
# Experimental, for use in Grafana Cloud only. Please do not set.
external_id =
external_id =
#################################### Azure ###############################
[azure]
@@ -1226,7 +1230,7 @@ url =
# Tenant ID to use in requests to the Alertmanager.
# It will also be used for the basic auth username.
tenant =
tenant =
# Optional password for basic authentication.
# If not present, the tenant ID will be set in the X-Scope-OrgID header.
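Review bot: In the first hunk the Google default for `skip_org_role_sync` appears to change from `false` to `true`, while the sample file further down this page still shows `;skip_org_role_sync = false` as an unchanged line, so the two files disagree about the effective default. An operator who sets `role_attribute_path` or `allow_assign_grafana_admin` based on the sample would expect the mapped role to apply, but with the shipped default the mapping is presumably skipped until the key is set to `false` explicitly. I would change the sample line to `;skip_org_role_sync = true` and add comments above the new keys, for example `# role_attribute_path only takes effect when skip_org_role_sync = false` and `# role_attribute_strict = true denies login when no valid role can be extracted`. The `+`/`-` markers are lost on this page, so the old/new reading of the two `skip_org_role_sync` lines is inferred from the hunk counts and print order.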


@@ -626,6 +626,10 @@
;api_url = https://openidconnect.googleapis.com/v1/userinfo
;allowed_domains =
;hosted_domain =
;allowed_groups =
;role_attribute_path =
;role_attribute_strict = false
;allow_assign_grafana_admin = false
;skip_org_role_sync = false
;use_pkce = true
@@ -781,7 +785,7 @@
; list_metrics_page_limit = 500
# Experimental, for use in Grafana Cloud only. Please do not set.
; external_id =
; external_id =
#################################### Azure ###############################
[azure]